public inbox for git-commits@fedoraproject.org
* [rpms/openssl] rebase_40beta: disable SSLv3 by default again
@ 2026-06-09 12:43 Tomas Mraz
From: Tomas Mraz @ 2026-06-09 12:43 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : 80b5477597e9f0d9fababd854adfb4988b37efd5
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2014-11-20T10:25:56+01:00
Stats : +8/-3 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/80b5477597e9f0d9fababd854adfb4988b37efd5?branch=rebase_40beta
Log:
disable SSLv3 by default again
Mail servers and possibly LDAP servers should probably allow
it explicitly by SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) call
for buggy legacy clients on the smtps, imaps, and ldaps ports.
---
diff --git a/openssl-1.0.1h-disable-sslv2v3.patch b/openssl-1.0.1h-disable-sslv2v3.patch
index 7a028aa..83afda0 100644
--- a/openssl-1.0.1h-disable-sslv2v3.patch
+++ b/openssl-1.0.1h-disable-sslv2v3.patch
@@ -5,8 +5,8 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
*/
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2;
++ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
return(ret);
err:
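Review bot: the new comment on the `ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` line says the default affects SSLv23_method() only, so a context created with a fixed-version method is not covered by this change, and the changelog wording "disable SSLv3 by default" should carry the same qualifier so it is not read as a blanket removal. The opt-out named in the commit log, SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3), is not mentioned in the code comment; adding it there would let a maintainer reading ssl_lib.c see how a server is expected to re-enable the protocol for legacy clients without having to find this commit message.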
diff --git a/openssl.spec b/openssl.spec
index e7ee263..191531e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1j
-Release: 2%{?dist}
+Release: 3%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -478,6 +478,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Nov 20 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-3
+- disable SSLv3 by default again (mail servers and possibly
+ LDAP servers should probably allow it explicitly for legacy
+ clients)
+
* Tue Oct 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-2
- update the FIPS RSA keygen to be FIPS 186-4 compliant
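Review bot: the new %changelog entry is dated "Wed Nov 20 2014", but 20 November 2014 (the date on this commit) was a Thursday, and rpmbuild flags a weekday that does not match the date as a bogus date in %changelog. The header should read "* Thu Nov 20 2014". The entry text would also be more useful to packagers of mail and LDAP servers if it named the SSL_OP_NO_SSLv3 option that has to be cleared, as the commit log does.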